Dear all,
 I am trying to understand how channel commitment transactions can be revoked 
with op_checksigfromstack(msg, sig, key) and signed sequence commitments.

I understand that a commitment c(n, randomness) is signed by both parties for 
each state, and that this signature can be verified with op_csfs(c, sig(A+B), 
key(A+B)). The sequence n is incremented for each new state.

Given the most recent commitment sequence signature (from both parties) and the 
sequence commitment opening (n++, r), an output script of an older, revoked 
commitment transaction can verify that a newer signed commitment sequence 
exists by examining:
    op_checksigfromstack(c++, sig(A+B), key(A+B))
    c++ == commitment(n++, r)
However, it must also have information about its own sequence number n, so it 
can verify that this is indeed lower than n++ (current). How is sequence number 
n committed to the nth commitment tx and accessible on-stack during script 

I learned about this concept from Johnson Lau's and Roasbeef's talk from 
Scaling Bitcoin at Stanford: 

Any pointers would be very much appreciated.

Kind regards,


Lightning-dev mailing list
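
The check described in the message above, modelled as an added example (not code from the post or from the talk it mentions). Assumptions: the commitment is SHA-256 over (n, r), an HMAC stands in for sig(A+B) so the block runs with the standard library only, and the old transaction's own sequence number `own_n` is simply passed in as a parameter, since how the script obtains it is the question the message leaves open.

```python
import hashlib
import hmac
import os

# Stand-in for key(A+B). Constructed value; a real channel uses a joint public key.
JOINT_KEY = b"constructed-joint-key-A+B"


def commitment(n: int, r: bytes) -> bytes:
    """c = H(n || r): hash commitment to sequence number n with randomness r."""
    return hashlib.sha256(n.to_bytes(8, "big") + r).digest()


def sign_joint(c: bytes) -> bytes:
    """Stand-in for sig(A+B) over c (HMAC, not a real public-key signature)."""
    return hmac.new(JOINT_KEY, c, hashlib.sha256).digest()


def csfs(msg: bytes, sig: bytes) -> bool:
    """Models op_checksigfromstack(msg, sig, key(A+B))."""
    return hmac.compare_digest(sig, sign_joint(msg))


def revocation_branch(own_n: int, c_new: bytes, sig: bytes,
                      n_new: int, r: bytes) -> bool:
    """True if the witness proves a jointly signed state newer than own_n.

    own_n is a hypothetical parameter: the message does not say how the
    script of the nth commitment transaction learns its own n.
    """
    if not csfs(c_new, sig):            # 1. both parties signed c_new
        return False
    if c_new != commitment(n_new, r):   # 2. (n_new, r) really opens c_new
        return False
    return n_new > own_n                # 3. the signed state is strictly newer


def new_state(n: int):
    """Create state n: returns (c, sig, n, r) as both parties would hold it."""
    r = os.urandom(32)
    c = commitment(n, r)
    return c, sign_joint(c), n, r
```

Step 3 is the only place `own_n` is used: without a trustworthy value for it, steps 1 and 2 prove that some signed state exists but not that it is newer than the transaction being spent.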
